A collaborative object represents a data type (such as a text document) designed to be shared by a group of dispersed users. Operational Transformation (OT) is a coordination approach used for supporting optimistic replication of these objects. It allows the users to concurrently update the shared data and exchange their updates in any order, since the convergence of all replicas (i.e. the fact that all users view the same data) is ensured in all cases. However, designing algorithms for achieving convergence with the OT approach is a critical and challenging issue. In this paper, we propose a formal compositional method for specifying complex collaborative objects. The most important feature of our method is that designing an OT algorithm for the composed collaborative object can be done by reusing the OT algorithms of the component collaborative objects. By using our method, we can start from correct small collaborative objects, which are relatively easy to handle, and incrementally combine them to build more complex collaborative objects.

Key words: Collaborative Editors, Operational Transformation, Component-based design, Algebraic Specifications.

1 Introduction 



Motivation. Collaborative editors constitute a class of distributed systems where dispersed users interact by simultaneously manipulating some shared objects like texts, images, graphics, etc. To improve data availability, the shared data is replicated so that the users update their local data replicas and exchange their updates between them. So, the updates are applied in different orders at different replicas of the object. This potentially leads to divergent (or different) replicas, an undesirable situation for collaborative editors. Operational Transformation (OT) is an optimistic technique which has been proposed to overcome the divergence problem [2]. This technique consists of an algorithm which transforms an update (previously executed by some other user) according to local concurrent ones in order to achieve convergence. It is used in many collaborative editors including CoWord [9] and CoPowerPoint [9] (collaborative versions of Microsoft Word and PowerPoint respectively), and Google Wave (a new Google platform).

It should be noted that data consistency relies crucially on the correctness of the OT algorithm. According to [7], consistency is ensured iff the OT algorithm satisfies two convergence properties, TP1 and TP2 (detailed in Section 2). Finding such an algorithm and proving that it satisfies TP1 and TP2 is not an easy task because it requires analyzing a large number of situations. Moreover, when we consider a complex object (such as a filesystem or an XML document, which are composed of several primitive objects) the formal design of its OT algorithm becomes very tedious because of the large number of updates and coordination situations to be considered if we start from scratch.

Related Work. Research efforts have been focused on automatically verifying the correctness of OT algorithms by using either a theorem prover [6] or a model-checker tool [1]. To the best of our knowledge, [5] is the first work that addresses the formal compositional design of OT algorithms. In this work, two static constructions (where the number of objects to combine is fixed) have been proposed for composing collaborative objects: (i) the first construction has as a basic semantic property to combine components without allowing these components to interact; (ii) the second one enables components to communicate by means of a shared part.

Contributions. As a continuation of [5], we propose in this paper how to combine an arbitrary number of collaborative objects by using a dynamic composition, in such a way that the objects are created and deleted dynamically. The most important feature of our method is that designing an OT algorithm for the composed collaborative object can be done by reusing the OT algorithms of the component collaborative objects. By using our method, we can start from correct small collaborative objects (i.e., they satisfy the convergence properties) which are relatively easy to handle and incrementally combine them to build more complex collaborative objects that are also correct.

Roadmap. This paper is organized as follows: in Section 2 we give the basic concepts of the OT approach. The ingredients of our formalization for specifying collaborative objects and OT algorithms are given in Section 3. In Section 4 we present how to specify the dynamic composition of collaborative objects in an algebraic framework. Section 5 gives the correctness of our dynamic composition approach. Finally, we give conclusions and present future work.



2 Operational Transformation Approach 

Due to high communication latencies in wide-area and mobile wireless networks, the replication of collaborative objects is commonly used in distributed collaborative systems. But this choice is not without problems, as we will see in the next sub-section.

2.1 Convergence Problems 

One of the significant issues when building collaborative editors with a replicated architecture and an 
arbitrary communication of messages between users is the consistency maintenance (or convergence) of 
all replicas. To illustrate this problem, consider the following example: 

Example 2.1 Consider the following group text editor scenario (see Figure 1): there are two users (sites) working on a shared document represented by a sequence of characters. These characters are addressed from 0 to the end of the document. Initially, both copies hold the string "efecte". User 1 executes operation $op_1 = Ins(1, "f")$ to insert the character "f" at position 1. Concurrently, user 2 performs $op_2 = Del(5)$ to delete the character "e" at position 5. When $op_1$ is received and executed on site 2, it produces the expected string "effect". But, when $op_2$ is received on site 1, it does not take into account that $op_1$ has been executed before it, and it produces the string "effece". The result at site 1 is different from the result at site 2, and it apparently violates the intention of $op_2$ since the last character "e", which was intended to be deleted, is still present in the final string.

To maintain convergence, an OT approach has been proposed in [2]. It consists of an application-dependent transformation algorithm such that, for every possible pair of concurrent updates, the application programmer has to specify how to merge these updates regardless of reception order. We denote this algorithm by a function $IT$, called inclusion transformation [8].

Figure 1: Incorrect integration.

Figure 2: Integration with transformation.



Example 2.2 In Figure 2 we illustrate the effect of $IT$ on the previous example. When $op_2$ is received on site 1, $op_2$ needs to be transformed in order to include the effects of $op_1$: $IT(Del(5), Ins(1, "f")) = Del(6)$. The deletion position of $op_2$ is incremented because $op_1$ has inserted a character at position 1, which is before the character deleted by $op_2$. Next, $op'_2$ is executed on site 1. In the same way, when $op_1$ is received on site 2, it is transformed as follows: $IT(Ins(1, "f"), Del(5)) = Ins(1, "f")$; $op_1$ remains the same because "f" is inserted before the deletion position of $op_2$. Intuitively we can write the transformation $IT$ as follows:

    IT(Ins(p1,c1), Ins(p2,c2)) = if (p1 < p2) return Ins(p1,c1)
                                 else return Ins(p1+1,c1)
                                 endif;



2.2 Transformation Properties 

Notation $[op_1; op_2; \ldots; op_n]$ represents an operation sequence. We denote $Do(X, st) = st'$ when an operation (or an operation sequence) $X$ is executed on a replica state $st$ and produces a replica state $st'$.

Using an OT algorithm requires satisfying two properties [7], called transformation properties. Given three operations $op$, $op_1$ and $op_2$, with $op'_2 = IT(op_2, op_1)$ and $op'_1 = IT(op_1, op_2)$, the conditions are as follows:

• Property TP1: $Do([op_1; op'_2], st) = Do([op_2; op'_1], st)$, for every state $st$.

• Property TP2: $IT(IT(op, op_1), op'_2) = IT(IT(op, op_2), op'_1)$.

TP1 defines a state identity and ensures that if $op_1$ and $op_2$ are concurrent, the effect of executing $op_1$ before $op_2$ is the same as executing $op_2$ before $op_1$. This condition is necessary but not sufficient when the number of concurrent operations is greater than two. As for TP2, it ensures that transforming $op$ along equivalent and different operation sequences will give the same result. Properties TP1 and TP2 are sufficient to ensure the convergence property for any number of concurrent operations which can be executed in arbitrary order [7].
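The text-editor transformation of Example 2.2 together with the TP1 and TP2 checks of this section, as an added Python example that is not code from the paper: the Ins/Ins case follows the rule given above, the Del/Ins and Ins/Del cases reproduce the two transformations of Example 2.2, and the Del/Del case and the `Nop` operation are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Union


# Operations on the shared text of Example 2.1; positions are 0-based.
@dataclass(frozen=True)
class Ins:
    p: int
    c: str


@dataclass(frozen=True)
class Del:
    p: int


@dataclass(frozen=True)
class Nop:
    """Assumed identity operation (not on the page): used when both sites delete the same character."""


Op = Union[Ins, Del, Nop]


def do(op: Op, st: str) -> str:
    """Do(op, st): execute one operation on a replica state."""
    if isinstance(op, Ins):
        return st[:op.p] + op.c + st[op.p:]
    if isinstance(op, Del):
        return st[:op.p] + st[op.p + 1:]
    return st


def do_seq(ops: List[Op], st: str) -> str:
    """Do([op1; ...; opn], st): execute a sequence left to right."""
    for op in ops:
        st = do(op, st)
    return st


def IT(op1: Op, op2: Op) -> Op:
    """Inclusion transformation: rewrite op1 so that it can be executed after op2."""
    if isinstance(op1, Nop) or isinstance(op2, Nop):
        return op1
    if isinstance(op1, Ins) and isinstance(op2, Ins):
        # the paper's rule for two concurrent insertions
        return op1 if op1.p < op2.p else Ins(op1.p + 1, op1.c)
    if isinstance(op1, Del) and isinstance(op2, Ins):
        # Example 2.2: IT(Del(5), Ins(1, "f")) = Del(6)
        return op1 if op1.p < op2.p else Del(op1.p + 1)
    if isinstance(op1, Ins) and isinstance(op2, Del):
        # Example 2.2: IT(Ins(1, "f"), Del(5)) = Ins(1, "f")
        return op1 if op1.p <= op2.p else Ins(op1.p - 1, op1.c)
    # Del against Del (assumed, not given on the page): same character -> Nop
    if op1.p < op2.p:
        return op1
    if op1.p > op2.p:
        return Del(op1.p - 1)
    return Nop()


def IT_star(op: Op, seq: List[Op]) -> Op:
    """IT*(op, [op1; ...; opn]): transform op against a whole sequence, as in Section 3.3."""
    for other in seq:
        op = IT(op, other)
    return op


def tp1_holds(op1: Op, op2: Op, st: str) -> bool:
    """TP1: Do([op1; IT(op2, op1)], st) = Do([op2; IT(op1, op2)], st)."""
    return do_seq([op1, IT(op2, op1)], st) == do_seq([op2, IT(op1, op2)], st)


def tp2_holds(op: Op, op1: Op, op2: Op) -> bool:
    """TP2: IT(IT(op, op1), IT(op2, op1)) = IT(IT(op, op2), IT(op1, op2))."""
    return IT_star(op, [op1, IT(op2, op1)]) == IT_star(op, [op2, IT(op1, op2)])


def example_2_2():
    """Replay Example 2.2: both sites start from "efecte" and must end in the same state."""
    op1, op2 = Ins(1, "f"), Del(5)
    site1 = do_seq([op1, IT(op2, op1)], "efecte")  # op2 arrives second, transformed to Del(6)
    site2 = do_seq([op2, IT(op1, op2)], "efecte")  # op1 arrives second, left unchanged
    return site1, site2
```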



3 Primitive Collaborative Objects 

3.1 Basic Notions 

In this sub-section we present the terminology and notation that are used in the following sections. We assume that the reader is familiar with algebraic specifications. For more background on this topic see [3].
A many-sorted signature $\Sigma$ is a pair $(S, F)$ where $S$ is a set of sorts and $F$ is an $S^* \times S$-sorted set (of function symbols). Here, $S^*$ is the set of finite (including empty) sequences of elements of $S$. Saying that $f : s_1 \times \ldots \times s_n \to s$ is in $\Sigma = (S, F)$ means that $s_1 \ldots s_n \in S^*$, $s \in S$, and $f \in F_{s_1 \ldots s_n, s}$. A $\Sigma$-algebra $A$ interprets sorts as sets and operations as appropriately typed functions. A signature morphism $\Phi : \Sigma \to \Sigma'$ is a pair $(f, g)$ such that $f : S \to S'$ and $g : F \to F'$ is an $(S^* \times S)$-sorted function. Usually, we ignore the distinction between $f$ and $g$ and drop all subscripts, writing $\Phi(s)$ for $f(s)$ and $\Phi(\sigma)$ for $g(\sigma)$ such that $\sigma \in F_{s_1 \ldots s_n, s}$. We denote the sort of booleans as Bool.

Let $X$ be a family of sorted variables and let $T_\Sigma(X)$ be the algebra of $\Sigma$-terms. An equation is a formula of the form $l = r$ where $l, r \in T_\Sigma(X)_s$ for some sort $s \in S$. A conditional equation is a formula of the following form: $\bigwedge_{i=1}^{n} a_i = b_i \Rightarrow l = r$, where $a_i, b_i \in T_\Sigma(X)_{s_i}$. An algebraic specification is a pair $(\Sigma, E)$ where $\Sigma$ is a many-sorted signature and $E$ is a set of (conditional) $\Sigma$-equations, called axioms of $(\Sigma, E)$. A $(\Sigma, E)$-model is a $\Sigma$-algebra $A$ that satisfies all the axioms in $E$. We write $A \models_\Sigma E$ to indicate that $A$ is a $(\Sigma, E)$-model. Given a signature morphism $\Phi : \Sigma \to \Sigma'$ and a $\Sigma'$-algebra $A'$, the reduct of $A'$ to $\Sigma$, denoted $\Phi(A')$, has carriers $A'_{\Phi(s)}$ for $s \in S$ and operations $\Phi(\sigma)_{A'}$ for $\sigma \in F_{s_1 \ldots s_n, s}$. Given a $\Sigma$-equation $e$ of the form $l = r$, $\Phi(e)$ is $\Phi(l) = \Phi(r)$ where $\Phi : T_\Sigma(X) \to T_{\Sigma'}(X')$ and $X' = \Phi(X)$. An important property of these translations of algebras and equations under signature morphisms is called the satisfaction condition, which expresses the invariance of satisfaction under change of notation:

Theorem 3.1 (Satisfaction Condition [3]). Given a signature morphism $\Phi : \Sigma \to \Sigma'$, a $\Sigma'$-algebra $A'$ and a $\Sigma$-equation $e$, $\Phi(A') \models_\Sigma e$ iff $A' \models_{\Sigma'} \Phi(e)$.

An observational signature is a many-sorted signature $\Sigma = (S, S_{obs}, F)$ where $S_{obs} \subseteq S$ is the set of observable sorts. An observational specification is a pair $(\Sigma, E)$ where $\Sigma$ is an observational signature and $E$ is a set of axioms. We assume that axioms are conditional equations with observable conditions. A context is a term with exactly one occurrence of a distinguished variable, say $z$. Observable contexts are contexts of observable sort. Let $C_\Sigma(s, s')$ be the set of contexts of sort $s'$ that contain a distinguished variable of sort $s$. We write $c[t]$ for the replacement of the distinguished variable $z$ by the term $t$. A $\Sigma$-algebra $A$ behaviorally satisfies an equation $l = r$, denoted $A \models_{obs} l = r$, iff $A \models_\Sigma c[l] = c[r]$ for every observable context $c$. A model of an observational specification $SP = (\Sigma, E)$ is a $\Sigma$-algebra $A$ that behaviorally satisfies every axiom in $E$. We write $A \models_{obs} SP$ or $A \models_{obs} E$. Also, we write $E \models_{obs} e$ iff $A \models_{obs} E$ implies $A \models_{obs} e$, where $e$ is a (conditional) equation.

3.2 Component Specifications 

Using observational semantics, we consider a Collaborative Object (CO) as a black box with a hidden (or non-observable) state. We only specify the interactions between a user and an object. In the following, we give our formalization:

Definition 3.2 (CO Signature). Given $S$ the set of all sorts, $S_b = \{State, Meth\}$ is the set of basic sorts and $S_d = S \setminus S_b$ is the set of data sorts. A CO signature $\Sigma = (S, S_{obs}, F)$ is an observational signature where the sort State is the unique non-observable sort. The set of function symbols $F$ is defined as follows:

(1) $F_{Meth\,State, State} = \{Do\}$, $F_{Meth\,Meth, Meth} = \{IT\}$, $F_{Meth\,State, Bool} = \{Poss\}$, and $F_{\omega, s} = \emptyset$ for all other cases where $\omega \in S^*$ and $s \in S_b$.

(2) A function symbol $f : s_1 \times s_2 \times \ldots \times s_n \to Meth$ is called a method if $s_1 s_2 \ldots s_n \in S_d^*$.

(3) A function symbol $f : s_1 \times s_2 \times \ldots \times s_n \to s$ is called an attribute if: (i) $s_1 s_2 \ldots s_n$ contains only one State sort; and (ii) $s \in S_d$.

We use $\Sigma, \Sigma', \Sigma_1, \Sigma_2, \ldots$ as variables ranging over CO signatures. □

The states of a collaborative object are accessible using the function Do which given a method and 
a state gives the resulting state provided that the execution of this method is possible. For this we use a 
boolean function Poss that indicates the conditions under which a method is enabled. The OT algorithm 
is denoted by the function symbol IT which takes two methods as arguments and produces another 
method. 

Definition 3.3 ($\Sigma$-Morphism). Given CO signatures $\Sigma$ and $\Sigma'$, a $\Sigma$-morphism $\Phi : \Sigma \to \Sigma'$ is a signature morphism such that: (i) $\Phi(s) = s$ for all $s \in S_d$; (ii) $\Phi(f) = f$ for all $f \in F_{\omega, s}$ where $\omega \in S_d^*$ and $s \in S_d$; (iii) $\Phi(S_b) = S'_b$ (where $S'_b = \{State', Meth'\}$, $\Phi(State) = State'$ and $\Phi(Meth) = Meth'$). □

The three conditions stipulate that $\Sigma$-morphisms preserve the State sort, the observable sorts and their functions.

Definition 3.4 (Collaborative Component Specification). A collaborative component specification is a tuple $\mathcal{C} = (\Sigma, M, A, T, E)$ where: (i) $\Sigma$ is a CO signature; (ii) $M$ is a set of method symbols, i.e. $M = \{m \mid m \in F_{\omega, Meth}$ and $\omega \in S_d^*\}$; (iii) $A$ is a set of attribute symbols, i.e. $A = \{a \mid a \in F_{\omega, s}$, where $\omega$ contains exactly one State sort and $s \in S_d\}$; (iv) $T$ is the set of axioms corresponding to the transformation function; (v) $E$ is the set of all axioms. We let $\mathcal{C}, \mathcal{C}', \mathcal{C}_1, \mathcal{C}_2, \ldots$ denote collaborative component specifications. □

In the following, we assume that all (conditional) equations used are universally quantified.

Example 3.5 The following component specification CCHAR models a memory cell (or a buffer) which stores a character value:

    spec CCHAR =
      sorts : Char Meth State
      opns  : Do : Meth State -> State
              putchar : Char -> Meth
              getchar : State -> Char
              IT : Meth Meth -> Meth
              maxchar : Char Char -> Char
      axioms:
        (1) getchar(Do(putchar(c), st)) = c;
        (2) IT(putchar(c1), putchar(c2)) = putchar(maxchar(c1, c2));

CCHAR has one method, putchar, and one attribute, getchar. Axiom (2) gives how to transform two concurrent putchar methods in order to achieve data convergence. For that, we use the function maxchar that computes the maximum of two character values. Note that we could have used another way to enforce convergence.

Like the previous specification, CNAT and CCOLOR model a memory cell which stores a natural number value and a color value respectively:

    spec CNAT =
      sorts : Nat Meth State
      opns  : Do : Meth State -> State
              putnat : Nat -> Meth
              getnat : State -> Nat
              IT : Meth Meth -> Meth
              minnat : Nat Nat -> Nat
      axioms:
        (1) getnat(Do(putnat(n), st)) = n;
        (2) IT(putnat(n1), putnat(n2)) = putnat(minnat(n1, n2));

    spec CCOLOR =
      sorts : Color Meth State
      opns  : Do : Meth State -> State
              putcolor : Color -> Meth
              getcolor : State -> Color
              IT : Meth Meth -> Meth
              mincolor : Color Color -> Color
      axioms:
        (1) getcolor(Do(putcolor(cl), st)) = cl;
        (2) IT(putcolor(cl1), putcolor(cl2)) = putcolor(mincolor(cl1, cl2));

To get data convergence we have used in CNAT (resp. CCOLOR) another function, minnat (resp. mincolor), that computes the minimum value. The sorts Char, Nat and Color are built-in. □

For a concise presentation and without loss of generality, we shall omit the observable-sorted arguments from methods and attributes. We can suppose that we have one function for each of its possible arguments. For instance, the method putchar(c) may be replaced by putchar_c for every $c \in$ Char.

Definition 3.6 ((M,A)-Complete). Given a component specification $\mathcal{C} = (\Sigma, M, A, T, E)$. The set $E$ is $(M,A)$-complete iff all equations involving $M$ have the form $C \Rightarrow a(Do(m, x)) = t$, where $x$ is a variable of sort State, $a \in A$, $m \in M$, $t \in T_{\Sigma \setminus M}(\{x\})$ and $C$ is a finite set of visible pairs $t_1 = t'_1, t_2 = t'_2, \ldots, t_n = t'_n$ where $t_1, t'_1 \in T_\Sigma(X)_{s_1}$, $t_2, t'_2 \in T_\Sigma(X)_{s_2}$, $\ldots$, $t_n, t'_n \in T_\Sigma(X)_{s_n}$. □

In Example 3.5, the component specification CCHAR is (M,A)-complete as the only axiom involving methods (i.e., axiom (1)) has the required form. CNAT and CCOLOR are also (M,A)-complete. In the remainder of this paper, we restrict our attention to component specifications which are (M,A)-complete.

As a component specification has an observational signature with one non-observable sort, State, the observable contexts have the following form: $a(Do(m_n, \ldots, Do(m_1, s)))$ where $m_1, \ldots, m_n$ are methods and $a$ is an attribute.

Definition 3.7 (Specification morphisms). Given two collaborative component specifications $\mathcal{C} = (\Sigma, M, A, T, E)$ and $\mathcal{C}' = (\Sigma', M', A', T', E')$, a specification morphism $\Phi : \mathcal{C} \to \mathcal{C}'$ is a signature morphism $\Phi : \Sigma \to \Sigma'$ such that: (i) $\Phi(M) \subseteq M'$; (ii) $\Phi(A) \subseteq A'$; (iii) $E' \models_{obs} \Phi(e)$ for each $e \in E$. □

Definition 3.7 provides support for reusing component specifications through the notion of specification morphism. Moreover, it exploits the fact that the source component specification is (M,A)-complete by only requiring the satisfaction of a finite number of equations (see condition (iii)). Note that Definitions 3.3 and 3.7 have been used for defining the static composition that enables us to build up a composite object from a fixed number of other collaborative objects [5]. For instance, SIZEDCHAR is the composition of CCHAR and CNAT, denoted by SIZEDCHAR = CCHAR ⊕ CNAT. This composition may be associated with an object having a character value and an attribute for modifying the font size. Due to limited space, the reader is referred to [5] for more details.

3.3 Convergence Properties 

Before stating the properties that a component specification $\mathcal{C} = (\Sigma, M, A, T, E)$ has to satisfy for ensuring convergence, we introduce some notations. Let $m_1, m_2, \ldots, m_n$ and $s$ be terms of sorts Meth and State respectively:

1. applying a method sequence on a state is denoted as:

   $(s)[m_1; m_2; \ldots; m_n] = Do(m_n, \ldots, Do(m_2, Do(m_1, s)) \ldots)$

2. $Legal([m_1; m_2; \ldots; m_n], s) = Poss(m_1, s) \wedge Poss(m_2, (s)m_1) \wedge \ldots \wedge Poss(m_n, (s)[m_1; m_2; \ldots; m_{n-1}])$.

3. $IT^*(m, []) = m$ and $IT^*(m, [m_1; m_2; \ldots; m_{n-1}]) = IT^*(IT(m, m_1), [m_2; \ldots; m_{n-1}])$ where $[]$ is the empty method sequence.

TP1 expresses a state identity between two method sequences. As mentioned before, we use an observational approach for comparing two states. Accordingly, we define the condition TP1 by the following state property (where the variables $s$, $m_1$ and $m_2$ are universally quantified):

$CP1 = (Legal(seq_1, s) = true \wedge Legal(seq_2, s) = true) \Rightarrow (s)seq_1 = (s)seq_2$

where $seq_1 = [m_1; IT(m_2, m_1)]$ and $seq_2 = [m_2; IT(m_1, m_2)]$.

Let $M' \subseteq M$ be a set of methods; we denote by $CP1|_{M'}$ the restriction of $CP1$ to $M'$. Let $M_1, M_2 \subseteq M$ be two disjoint sets of methods; we define $CP1|_{M_1, M_2}$ as:

$CP1|_{M_1, M_2} = (Legal(seq_i, s) = true \wedge Legal(seq_j, s) = true) \Rightarrow (s)seq_i = (s)seq_j$

where $seq_i = [m_i; IT(m_j, m_i)]$ and $seq_j = [m_j; IT(m_i, m_j)]$ such that $m_i \in M_i$ and $m_j \in M_j$ for all $i \neq j \in \{1, 2\}$.

TP2 stipulates a method identity between two equivalent sequences. Given three methods $m_1$, $m_2$ and $m_3$, transforming $m_3$ with respect to the two method sequences $[m_1; IT(m_2, m_1)]$ and $[m_2; IT(m_1, m_2)]$ must give the same method. We define TP2 by the following property:

$CP2 = IT^*(m_3, [m_1; IT(m_2, m_1)]) = IT^*(m_3, [m_2; IT(m_1, m_2)])$

Let $M' \subseteq M$ be a set of methods; we denote by $CP2|_{M'}$ the restriction of $CP2$ to $M'$. Let $M_1, M_2 \subseteq M$ be two disjoint sets of methods; we define $CP2|_{M_1, M_2}$ as:

$CP2|_{M_1, M_2} = IT^*(m, [m'; IT(m'', m')]) = IT^*(m, [m''; IT(m', m'')])$

such that $m' \in M_i$, $m'' \in M_j$ and $m \in M_k$ for all $i, j, k \in \{1, 2\}$ with $k \neq i$ or $k \neq j$.

The following definition gives the conditions under which a component specification ensures data convergence:

Definition 3.8 (Consistency). $\mathcal{C}$ is said consistent iff $\mathcal{C} \models_{obs} CP1 \wedge CP2$.

4 Dynamic Composition 

In this section, we present a construction that enables us to combine an arbitrary number of the same 
collaborative object according to a given structure (we will call it composition pattern). In other words, 
such objects are created and deleted dynamically. Thus, the obtained object has no static structure. 

4.1 Basic Definitions 

Definition 4.1 (Composition Pattern). A composition pattern is a parametric specification $\mathcal{P} = (PA, \mathcal{C})$ where:

• $PA = (\Sigma_{PA}, E_{PA})$, called formal parameter, is an algebraic specification;

• $\mathcal{C} = (\Sigma, M, A, T, E)$, called body, is a collaborative component specification (or a component);

such that the following conditions hold: (i) $S_{PA} = \{Elem, Bool\}$; (ii) $\Sigma_{PA} \subseteq \Sigma$; (iii) $E_{PA} \subseteq E$; (iv) there exists a method symbol $m \in M$ containing at least one argument of Elem sort; this method is called parametric method; (v) there exists an attribute symbol $a \in A$ such that either its result is of Elem sort or one of its arguments is of Elem sort; $a$ is called parametric attribute.

We let $\mathcal{P}, \mathcal{P}', \mathcal{P}_1, \mathcal{P}_2, \ldots$ denote the composition patterns. □

Example 4.2 The composition pattern PSET = $(PA, \mathcal{C})$ describes finite sets with a parametric element. The formal parameter PA gives the properties of the parameter sort Elem; the body $\mathcal{C}$ is a collaborative object representing sets of Elem sort:

    spec PA =
      sorts : Elem Bool
      opns  : eq : Elem Elem -> Bool
      axioms:
        (1) eq(x,y) = eq(y,x);
        (2) eq(x,y) = true, eq(y,z) = true => eq(x,z) = true;

    spec C =
      sorts : Set Elem Meth Bool
      opns  : empty : -> Set
              Do : Meth Set -> Set
              nop : -> Meth
              add : Elem -> Meth
              remove : Elem -> Meth
              Poss : Meth Set -> Bool
              iselem : Elem Set -> Bool
              IT : Meth Meth -> Meth
      axioms:
        (1)  Poss(nop, st) = true;
        (2)  Poss(add(x), st) = true;
        (3)  iselem(x,st) = true  => Poss(remove(x), st) = true;
        (4)  iselem(x,st) = false => Poss(remove(x), st) = false;
        (5)  eq(x,y) = true  => iselem(x, Do(add(y), st)) = true;
        (6)  eq(x,y) = false => iselem(x, Do(add(y), st)) = iselem(x, st);
        (7)  eq(x,y) = true  => iselem(x, Do(remove(y), st)) = false;
        (8)  eq(x,y) = false => iselem(x, Do(remove(y), st)) = iselem(x, st);
        (9)  eq(x,y) = true  => IT(add(x), add(y)) = nop;
        (10) eq(x,y) = false => IT(add(x), add(y)) = add(x);
        (11) IT(add(x), remove(y)) = add(x);
        (12) eq(x,y) = true  => IT(remove(x), remove(y)) = nop;
        (13) eq(x,y) = false => IT(remove(x), remove(y)) = remove(x);
        (14) IT(remove(x), add(y)) = remove(x);

□



In the following definition, we give under which conditions a collaborative component can substitute 
a formal parameter in a composition pattern. 

Definition 4.3 (Admissibility). Given $\mathcal{P} = (PA, \mathcal{C})$ a composition pattern and $\mathcal{C}_1 = (\Sigma_1, M_1, A_1, T_1, E_1)$ a component such that $(\Sigma \setminus \Sigma_{PA}) \cap \Sigma_1 = \emptyset$ (i.e. no similar names). Component $\mathcal{C}_1$ is said admissible for $\mathcal{P}$ if for all axioms $e \in E_{PA}$, $E_1 \models_{obs} \Phi(e)$, where $\Phi : \Sigma_{PA} \to \Sigma_1$ is a signature morphism with $\Phi(Elem) = State_{\mathcal{C}_1}$ and $\Phi(Bool) = Bool$. □

Consider the character component CCHAR = $(\Sigma_1, M_1, A_1, T_1, E_1)$ given in Example 3.5. This component is admissible for the pattern PSET (see Example 4.2) by using the following morphism: $\Phi(Elem) = State_{CCHAR}$ and $\Phi(eq) = (=_{obs})$. This enables us to build up a set of characters.

Substituting a formal parameter by an admissible component enables us to build a new component. 

Definition 4.4 (Instantiation parameter). Let $\mathcal{P}_1 = (PA, \mathcal{C}_1)$ be a composition pattern. Given $\mathcal{C}_2 = (\Sigma_2, M_2, A_2, T_2, E_2)$ an admissible component for $\mathcal{P}_1$ via a signature morphism $\Phi : \Sigma_{PA} \to \Sigma_2$. The instantiation of $\mathcal{P}_1$ by $\mathcal{C}_2$, denoted by $\mathcal{P}_1[PA \leftarrow \mathcal{C}_2]_\Phi$, is the specification $(\Sigma, M, A, T, E)$ such that:

(i) $\Sigma = \Sigma_2 \cup \Phi(\Sigma_{PA}) \cup (\Sigma_1 \setminus \Sigma_{PA})$; (ii) $M = \Phi(M_1)$; (iii) $A = \Phi(A_1)$; (iv) $T = \Phi(T_1)$; (v) $E = E_2 \cup \Phi(E_1)$. □



Although the definition below (see Definition 4.5) may seem rather complicated to understand, it is just a mathematical formulation of some simple ideas about how to build a complex component (with a dynamic structure) from a composition pattern $\mathcal{P}_1$ and an admissible component $\mathcal{C}_2$:

• The formal parameter of $\mathcal{P}_1$ is replaced by the admissible component $\mathcal{C}_2$ in order to build a new component $\mathcal{C}$.

• This new component $\mathcal{C}$ is extended by a new method Update whose role is to connect $\mathcal{P}_1$'s state space with $\mathcal{C}_2$'s state space. In other words, the use of Update means that changing the state of $\mathcal{C}_2$ implies changing the state of $\mathcal{P}_1$.

• Axioms given in (iv) show how to transform Update. On the one hand, we have to add axioms to define how to transform Update against the other methods of $\mathcal{P}_1$. On the other hand, when modifying the same object of $\mathcal{C}_2$ we use the transformation function of $\mathcal{C}_2$. But modifications of two distinct objects of $\mathcal{C}_2$ can be performed in any order (there is no interference).

• Axioms given in (v) state how attributes are altered by the method Update.

Definition 4.5 (Dynamic Composition). Given a composition pattern $\mathcal{P}_1 = (PA, \mathcal{C}_1)$, a component $\mathcal{C}_2 = (\Sigma_2, M_2, A_2, T_2, E_2)$ and a signature morphism $\Phi : \Sigma_{PA} \to \Sigma_2$. Let $Update : s_1 \ldots s_n\ State_{\mathcal{C}_2}\ State_{\mathcal{C}_2} \to Meth$ be a method symbol. The specification $\mathcal{C} = (\Sigma, M, A, T, E)$ is said a dynamic composition of $\mathcal{C}_2$ with respect to $\mathcal{P}_1$ (denoted $\mathcal{P}_1[\mathcal{C}_2]$) iff $\mathcal{C}_2$ is admissible for $\mathcal{P}_1$ via $\Phi$, and $\mathcal{C} = \mathcal{P}_1[PA \leftarrow \mathcal{C}_2]_\Phi \cup (\Sigma', M', A', T', E')$ such that:

(i) $\Sigma' = (S', F')$ with $S' = S_2 \cup \Phi(S_1)$ and $F' = \{Update\}$. Method $Update(U, x, y)$ means the replacement of the old value $x$ by the new one $y$. The value $y$ is considered as the result given by applying a method of $\mathcal{C}_2$ on $x$ ($U$ denotes a sequence of variables $x_1, \ldots, x_n$).

(ii) $M' = \{Update(U, x, y) \mid x, y$ are variables of sort $State_{\mathcal{C}_2}$ and $U$ is a variable of sort $S'^*\}$;

(iii) $A' = \emptyset$;

(iv) Let $u_1 = Update(U, x, Do_{\mathcal{C}_2}(m_1, x))$ and $u_2 = Update(U', x', Do_{\mathcal{C}_2}(m_2, x'))$ be two methods where $m_1, m_2 \in M_2$. For every method $m \in \Phi(M_1)$, we have:

$T' = Ax(IT(u_1, m)) \cup Ax(IT(m, u_1)) \cup Ax(IT(u_1, u_2))$

such that $Ax(IT(u_1, u_2))$ contains the following axioms:

$U = U' \wedge x = x' \Rightarrow IT(u_1, u_2) = u'_1$
$x \neq x' \Rightarrow IT(u_1, u_2) = u_1$
$U \neq U' \Rightarrow IT(u_1, u_2) = u_1$

with $u'_1 = Update(U', Do_{\mathcal{C}_2}(m_2, x'), Do_{\mathcal{C}_2}(IT_{\mathcal{C}_2}(m_1, m_2), Do_{\mathcal{C}_2}(m_2, x')))$.

(v) For each attribute symbol $a : s'_1 \ldots s'_k \to s'$, we have

$E' = Ax(Poss(Update(U, x, y), st)) \cup Ax(a(Z, Do(Update(U, x, y), st)))$

where $Ax(a(Z, Do(Update(U, x, y), st)))$ is defined as follows:

(a) $a$ is the instance of a parametric attribute one of whose arguments is of sort $\Phi(Elem)$:

$C[Z, x', U, x, y, st] \Rightarrow a(Z, x', Do(Update(U, x, y), st)) = cst$
$\neg C[Z, x', U, x, y, st] \Rightarrow a(Z, x', Do(Update(U, x, y), st)) = a(Z, x', st)$

where $cst$ is a constant of sort $s'$ and $C[Z, x', U, x, y, st]$ ($\neg C[Z, x', U, x, y, st]$ is its negation) is a formula (containing free variables) built up as a conjunction of observable equations in such a way that $C[Z, x', U, x, y, st] \wedge C[Z, x', U', x, y, st]$ is false whenever $U \neq U'$.

(b) $a$ is the instance of a parametric attribute with $s' = \Phi(Elem)$:

$C'[Z, U, st] \Rightarrow a(Z, Do(Update(U, x, y), st)) = y$
$\neg C'[Z, U, st] \Rightarrow a(Z, Do(Update(U, x, y), st)) = a(Z, st)$

where $C'[Z, U, st]$ (and its negation) is a formula (containing free variables) built up as a conjunction of observable equations in such a way that $C'[Z, U, st] \wedge C'[Z, U', st]$ is false whenever $U \neq U'$.

(c) $a$ is not the instance of a parametric attribute: $a(Z, Do(Update(U, x, y), st)) = a(Z, st)$.

The notation $Ax(f)$ means the set of axioms used for defining function $f$. □




Figure 3: Dynamic Composition.

Example 4.6 Figure 3 shows the dynamic composition of CCHAR (see Example 3.5) with respect to PSET (see Example 4.2), via the following morphism: $\Phi(Elem) = State_{CCHAR}$ and $\Phi(eq) = (=_{obs})$. Note that the two other morphisms of the figure are only inclusion morphisms [10, 11]. The composition proceeds by the following steps:

1. The instantiation of PSET via $\Phi$, i.e. SETCHAR = $\Phi$(PSET);

2. Add to SETCHAR a new method Update : $State_{CCHAR}$ $State_{CCHAR}$ -> Meth with the following axioms:

(a) Transforming Update methods (see Definition 4.5 (iv)):

    (16) c1 = c3  => IT(Update(c1,c2), Update(c3,c4)) = Update(c4,c')
    (17) c1 <> c3 => IT(Update(c1,c2), Update(c3,c4)) = Update(c1,c2)

where c' = Do_CCHAR(IT_CCHAR(m1,m2), c4), and m1 and m2 are methods of CCHAR such that c2 = Do_CCHAR(m1,c1) and c4 = Do_CCHAR(m2,c3).

(b) Axioms for defining the function Poss:

    (18) iselem(c,st) = true  => Poss(Update(c,c'), st) = true
    (19) iselem(c,st) = false => Poss(Update(c,c'), st) = false

(c) Axioms for all attributes observing the effects of Update (see Definition 4.5 (v)):

    (20) c = c2  => iselem(c, Do(Update(c1,c2), st)) = true
    (21) c <> c2 => iselem(c, Do(Update(c1,c2), st)) = iselem(c, st)

□
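The dynamic composition SETCHAR of Example 4.6, with Update transformed as in Definition 4.5 (iv) and enabled as in axioms (18)-(19), together with the Legal and CP1 checks of Section 3.3, as an added Python example that is not code from the paper. The transformation condition compares the old values ($x = x'$) as in Definition 4.5 (iv); the set state follows the "replacement of the old value by the new one" reading of Definition 4.5 (i); the `SetOf` class, the helper `method_for` (which recovers a component method m with Do(m, x) = y) and the second instance SETNAT built on CNAT are assumptions of this example that show the same construction reusing a different component IT.

```python
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, List


# --- Component CCHAR (Example 3.5): a cell holding one character ------------------
# A CCHAR state is observed only through getchar, so we identify it with its character.
@dataclass(frozen=True)
class PutChar:
    c: str


def do_cchar(m: PutChar, st: str) -> str:
    return m.c                        # axiom (1): getchar(Do(putchar(c), st)) = c


def it_cchar(m1: PutChar, m2: PutChar) -> PutChar:
    return PutChar(max(m1.c, m2.c))   # axiom (2): IT(putchar(c1), putchar(c2)) = putchar(maxchar(c1,c2))


# --- Component CNAT (Example 3.5): same shape, converging with minnat ---------------
@dataclass(frozen=True)
class PutNat:
    n: int


def do_cnat(m: PutNat, st: int) -> int:
    return m.n


def it_cnat(m1: PutNat, m2: PutNat) -> PutNat:
    return PutNat(min(m1.n, m2.n))


# --- Dynamic composition PSET[C] (Definition 4.5, Example 4.6) ----------------------
@dataclass(frozen=True)
class Update:
    old: Any   # x : the element (a C state) being modified
    new: Any   # y = Do_C(m, x) for some method m of C


@dataclass
class SetOf:
    """Assumed wrapper: a set of C states whose Update reuses the Do/IT of C."""
    do_c: Callable
    it_c: Callable
    method_for: Callable   # assumed helper: method m of C with Do_C(m, x) = y

    def poss(self, u: Update, st: FrozenSet) -> bool:
        return u.old in st                       # axioms (18)/(19): iselem(x, st) must hold

    def do(self, u: Update, st: FrozenSet) -> FrozenSet:
        # Definition 4.5 (i): the old value x is replaced by the new value y
        return (st - {u.old}) | {u.new}

    def it_update(self, u1: Update, u2: Update) -> Update:
        # Definition 4.5 (iv): distinct objects (x != x') leave u1 unchanged;
        # the same object is replayed on top of u2's result with the component's IT.
        if u1.old != u2.old:
            return u1
        m1 = self.method_for(u1.old, u1.new)
        m2 = self.method_for(u2.old, u2.new)
        merged = self.do_c(self.it_c(m1, m2), u2.new)   # Do_C(IT_C(m1,m2), Do_C(m2,x'))
        return Update(u2.new, merged)

    def legal_apply(self, st: FrozenSet, seq: List[Update]) -> FrozenSet:
        """(st)[u1; ...; un], checking Legal(seq, st) step by step (Section 3.3)."""
        for u in seq:
            if not self.poss(u, st):
                raise ValueError(f"sequence is not legal at {u}")
            st = self.do(u, st)
        return st

    def cp1_holds(self, st: FrozenSet, u1: Update, u2: Update) -> bool:
        """CP1: (st)[u1; IT(u2,u1)] = (st)[u2; IT(u1,u2)] for two concurrent Updates."""
        seq1 = [u1, self.it_update(u2, u1)]
        seq2 = [u2, self.it_update(u1, u2)]
        return self.legal_apply(st, seq1) == self.legal_apply(st, seq2)


SETCHAR = SetOf(do_cchar, it_cchar, lambda x, y: PutChar(y))   # PSET[CCHAR]
SETNAT = SetOf(do_cnat, it_cnat, lambda x, y: PutNat(y))       # PSET[CNAT], assumed instance
```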

4.2 Illustrative Example 

In word processor software (such as Microsoft Word), a document has a hierarchical structure. It contains not only text but also formatting objects (font, color, size, etc.). Typically, a document is divided into pages, paragraphs, phrases, words and characters. A formatting object may be found at each of these levels. Several collaborative editors rely on this document structure, such as CoWord [9], a collaborative version of Microsoft Word. Now we present how to model this document structure using a dynamic composition. Note that each level has a linear structure, except for characters. So, we use a composition pattern STRING that represents a sequence of elements. The formal parameter Elem of STRING can be substituted by any component. Moreover, this pattern has two methods: (i) Ins(p,e,n) to add element e at position p; (ii) Del(p,n) to remove the element at position p. The argument n is the identity of the issuing site (or user).

Suppose we want to equip the document with formatting objects such as size and color. So, consider the components CCHAR (a character component), CNAT (a size component) and CCOLOR (a color component) (see Example 3.5). The basic element in our document structure is the formatted character (a character object with color and size attributes), FCHAR, which is obtained by a static composition [5]: FCHAR = CCHAR ⊕ CNAT ⊕ CCOLOR.

A formatted word is a sequence of formatted characters, built up by dynamic and static compositions: WORD = STRING[FCHAR] and FWORD = WORD ⊕ CNAT ⊕ CCOLOR.

The remaining levels are built up in the same way:

SENTENCE = STRING[FWORD] and FSENTENCE = SENTENCE ⊕ CNAT ⊕ CCOLOR

PARAGRAPH = STRING[FSENTENCE] and FPARAGRAPH = PARAGR ⊕ CNAT ⊕ CCOLOR

PAGE = STRING[FPARAGRAPH] and FPAGE = PAGE ⊕ CNAT ⊕ CCOLOR

5 Correctness 

In this section, we present the correctness of our dynamic composition by enumerating the following 
properties. 

Applying Update on two distinct objects can be performed in any order. 

Lemma 5.1 Let a:si . . .Sn State —^sbe an attribute such that a is the instance of a parametric attribute. 

Given two methods U[ = \]pda.te{U,x,x') and U2 = l!pdate{V, y,y'). IfU j^V or x^y then: 

a{Z, {st)[ui;u2]) = a{Z, [st)[u2',u\\) for all states st. D 

Proof. Two cases are considered. 

First case: there is exactly one argument $s_i = \Phi(\mathit{Elem}) = \mathit{State}_{\mathcal{C}_2}$, with $i \in \{1,\ldots,n\}$, so that 
$a : s_1 \ldots s_{n-1}\,\mathit{State}_{\mathcal{C}_2}\,\mathit{State} \to s$. According to Definition 4.5 we have to show: 

$a(Z,z,(st)[\mathit{Update}(U,x,x');\mathit{Update}(V,y,y')]) = a(Z,z,(st)[\mathit{Update}(V,y,y');\mathit{Update}(U,x,x')])$ 

1. $U = V$ and $x \neq y$: 

(a) if $C[Z,z,U,x,x',st] \wedge C[Z,z,V,y,y',st]$ is true then both sides are equal; 

(b) if $C[Z,z,U,x,x',st] \wedge \neg C[Z,z,V,y,y',st]$ is true then $x' = x'$; 

(c) if $\neg C[Z,z,U,x,x',st] \wedge C[Z,z,V,y,y',st]$ is true then $y' = y'$; 

(d) if $\neg C[Z,z,U,x,x',st] \wedge \neg C[Z,z,V,y,y',st]$ is true then $a(Z,z,st) = a(Z,z,st)$. 

2. $U \neq V$: According to Definition 4.5, $C[Z,z,U,x,y,st] \wedge C[Z,z,U',x,y,st]$ is false whenever 
$U \neq U'$. Three cases are possible: 

(a) if $C[Z,z,U,x,x',st] \wedge \neg C[Z,z,V,y,y',st]$ is true then $x' = x'$; 

(b) if $\neg C[Z,z,U,x,x',st] \wedge C[Z,z,V,y,y',st]$ is true then $y' = y'$; 

(c) if $\neg C[Z,z,U,x,x',st] \wedge \neg C[Z,z,V,y,y',st]$ is true then $a(Z,z,st) = a(Z,z,st)$. 

Second case: $s = \Phi(\mathit{Elem}) = \mathit{State}_{\mathcal{C}_2}$, so that $a : s_1 \ldots s_{n-1}\,\mathit{State} \to \mathit{State}_{\mathcal{C}_2}$. 
According to Definition 4.5 we have to show: 

$a(Z,(st)[\mathit{Update}(U,x,x');\mathit{Update}(V,y,y')]) = a(Z,(st)[\mathit{Update}(V,y,y');\mathit{Update}(U,x,x')])$ 

1. $U = V$ and $x \neq y$: as $u_1$ and $u_2$ are both applied on state $st$, we have $a(Z,st) = x$ and $a(Z,st) = y$. Thus 
$x = y$, which contradicts the assumption of this case. 

2. $U \neq V$: According to Definition 4.5, $C'[Z,U,st] \wedge C'[Z,U',st]$ is false whenever $U \neq U'$. 
So we have the following cases: 

(a) if $C'[Z,U,st] \wedge \neg C'[Z,V,st]$ is true then $x' = x'$; 

(b) if $\neg C'[Z,U,st] \wedge C'[Z,V,st]$ is true then $y' = y'$; 

(c) if $\neg C'[Z,U,st] \wedge \neg C'[Z,V,st]$ is true then $a(Z,st) = a(Z,st)$. □ 

If two Update methods $u_1$ and $u_2$ modify two distinct objects, then the sequences 
$[u_1;u_2]$ and $[u_2;u_1]$ have the same effect. 

Lemma 5.2 Let $u_1 = \mathit{Update}(U,x,x')$ and $u_2 = \mathit{Update}(V,y,y')$ be two methods. For all states $st$, if 
$U \neq V$ or $x \neq y$ then $(st)[u_1;u_2] =_{obs} (st)[u_2;u_1]$. □ 

Proof. Consider an arbitrary context $C[st] = a \cdot m_1 \cdot \ldots \cdot m_n$ with $n \geq 0$, $a \in A$ and $m_i \in M$ for 
$i \in \{1,\ldots,n\}$. We have to show $C[(st)[u_1;u_2]] = C[(st)[u_2;u_1]]$. 
It is sufficient to prove by induction on $n$ that: 

$a(Z,(st)[u_1;u_2;m_1(X_1);\ldots;m_n(X_n)]) = a(Z,(st)[u_2;u_1;m_1(X_1);\ldots;m_n(X_n)])$. 

Induction basis: for $n = 0$ and $C[st] = a$ we have: 

$a(Z,(st)[u_1;u_2]) = a(Z,(st)[u_2;u_1])$. (1) 

To prove Equation (1) we consider two cases: 
(i) $a$ is the instance of a parametric attribute: Equation (1) then holds by Lemma 5.1. 

(ii) $a$ is not the instance of a parametric attribute: according to Definition 4.5 we have 

$a(Z,(st)[u_1;u_2]) = a(Z,st)$ and $a(Z,(st)[u_2;u_1]) = a(Z,st)$. 

Induction hypothesis: for $n \geq 0$, $a(Z,(st)[u_1;u_2;m_1(X_1);\ldots;m_n(X_n)]) = 
a(Z,(st)[u_2;u_1;m_1(X_1);\ldots;m_n(X_n)])$. 

Induction step: we show that if $C'[st] = a \cdot m_1 \cdot \ldots \cdot m_n \cdot m_{n+1}$ then $C'[(st)[u_1;u_2]] = C'[(st)[u_2;u_1]]$. Let 
$st_1 = (st)[u_1;u_2;m_1(X_1);\ldots;m_n(X_n)]$ and $st_2 = (st)[u_2;u_1;m_1(X_1);\ldots;m_n(X_n)]$. By the induction hypothesis 
we deduce that $st_1 =_{obs} st_2$. As $=_{obs}$ is a congruence, $a(Z,(st_1)[m_{n+1}]) = a(Z,(st_2)[m_{n+1}])$. □ 

The dynamic composition of a consistent component with respect to a consistent composition pattern 
produces a new component that satisfies CP1 for all Update methods. 

Theorem 5.3 Given a composition pattern $\mathcal{C}_1$ with parametric attributes $PA$ and a component $\mathcal{C}_2 = (\Sigma_2, M_2, A_2, T_2, E_2)$, 
let $\mathcal{C} = (\Sigma, M, A, T, E)$ be the dynamic composition of $\mathcal{C}_2$ with respect to $\mathcal{C}_1$. If $\mathcal{C}_1$ and $\mathcal{C}_2$ are consistent 
then $E \models_{obs} CP1|_{M'}$, where $M'$ is the set of Update methods. □ 

Proof. $CP1|_{M'}$ is defined as follows: 

$(st)[\mathit{Update}(X,u,v);\mathit{IT}(\mathit{Update}(Y,u',v'),\mathit{Update}(X,u,v))] = 
(st)[\mathit{Update}(Y,u',v');\mathit{IT}(\mathit{Update}(X,u,v),\mathit{Update}(Y,u',v'))]$ 

where $v = \mathit{Do}_{\mathcal{C}_2}(m_1(V),u)$ and $v' = \mathit{Do}_{\mathcal{C}_2}(m_2(W),u')$, with $m_1$ and $m_2$ methods of $\mathcal{C}_2$. According to 
Definition 4.5 we consider two cases. 
First case: $X = Y$ and $u = u'$. 

$CP1|_{M'}$ is rewritten as follows: 

$(st)[\mathit{Update}(X,u,v);\mathit{Update}(Y,v,\mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_2(W),m_1(V)),v))] = 
(st)[\mathit{Update}(Y,u,v');\mathit{Update}(X,v',\mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_1(V),m_2(W)),v'))]$ 

As $v = \mathit{Do}_{\mathcal{C}_2}(m_1(V),u)$, $v' = \mathit{Do}_{\mathcal{C}_2}(m_2(W),u)$ and $\mathcal{C}_2$ is consistent, 

$\mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_2(W),m_1(V)),v) = \mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_1(V),m_2(W)),v') = u''$ 

Thus we get $(st)[\mathit{Update}(X,u,v);\mathit{Update}(Y,v,u'')] = (st)[\mathit{Update}(Y,u,v');\mathit{Update}(X,v',u'')]$, which 
is true: both sides leave the object $X = Y$ in state $u''$. 
Second case: $X \neq Y$ or $u \neq u'$. 

$CP1|_{M'}$ is rewritten as follows: 

$(st)[\mathit{Update}(X,u,v);\mathit{Update}(Y,u',v')] = (st)[\mathit{Update}(Y,u',v');\mathit{Update}(X,u,v)]$ 

This equation always holds by Lemma 5.2. □ 
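As an added worked example (not code from the paper), the following Python module implements the STRING composition pattern used in the document-structure example (Ins(p, e, n) and Del(p, n) on a sequence of characters) together with the Update method of the dynamic composition STRING[STRING[CHAR]], i.e. a sequence of words. The transformation of Update methods follows the case split of the proof of Theorem 5.3: when two updates target the same object starting from the same state, IT is delegated to the component's IT; otherwise the update is left unchanged, as Lemma 5.2 allows. The concrete Ins/Del transformation rules (position shifting with the site identifier as tie-breaker), the choice to keep the generating component method inside the Update record, and the sample document are assumptions of this example, not definitions taken from the paper. `cp1_holds` checks CP1 restricted to Update methods on the constructed scenarios.

```python
from dataclasses import dataclass

# Added example, not the paper's code.  Ins/Del transformation rules, the
# Update record layout and the sample document are assumptions made here.

@dataclass(frozen=True)
class Ins:
    """Ins(p, e, n): insert element e at position p, issued by site n."""
    p: int
    e: object
    n: int

@dataclass(frozen=True)
class Del:
    """Del(p, n): delete the element at position p, issued by site n."""
    p: int
    n: int

@dataclass(frozen=True)
class Nop:
    """Identity method, produced when two sites delete the same element."""

def do(m, st: tuple) -> tuple:
    """Do(m, st): execute a STRING method on a sequence state (a tuple)."""
    if isinstance(m, Ins):
        return st[:m.p] + (m.e,) + st[m.p:]
    if isinstance(m, Del):
        return st[:m.p] + st[m.p + 1:]
    return st

def it(m1, m2):
    """IT(m1, m2): transform m1 so that it can run after the concurrent m2.
    Classic position-shifting rules; the site id breaks Ins/Ins ties."""
    if isinstance(m1, Nop) or isinstance(m2, Nop):
        return m1
    if isinstance(m1, Ins) and isinstance(m2, Ins):
        if m1.p < m2.p or (m1.p == m2.p and m1.n < m2.n):
            return m1
        return Ins(m1.p + 1, m1.e, m1.n)
    if isinstance(m1, Ins) and isinstance(m2, Del):
        return Ins(m1.p - 1, m1.e, m1.n) if m1.p > m2.p else m1
    if isinstance(m1, Del) and isinstance(m2, Ins):
        return Del(m1.p + 1, m1.n) if m1.p >= m2.p else m1
    if m1.p == m2.p:            # Del against Del at the same position
        return Nop()
    return Del(m1.p - 1, m1.n) if m1.p > m2.p else m1

@dataclass(frozen=True)
class Update:
    """Update(X, u, v): object X moves from component state u to v = Do(m, u).
    Keeping the generating method m here (an assumption) lets IT delegate to it."""
    x: int
    u: tuple
    v: tuple
    m: object

def mk_update(st: tuple, x: int, m) -> Update:
    """Build Update(x, u, Do(m, u)) for object x of the composite state st."""
    return Update(x, st[x], do(m, st[x]), m)

def do_update(up: Update, st: tuple) -> tuple:
    """Execute an Update; the object must currently be in the expected old state."""
    if st[up.x] != up.u:
        raise ValueError("Update(%d, ...) is not applicable on this state" % up.x)
    return st[:up.x] + (up.v,) + st[up.x + 1:]

def it_update(up1: Update, up2: Update) -> Update:
    """IT on Update methods (case split of Theorem 5.3): same object and same
    old state -> reuse the component IT; otherwise the update is unchanged."""
    if up1.x == up2.x and up1.u == up2.u:
        m = it(up1.m, up2.m)
        return Update(up1.x, up2.v, do(m, up2.v), m)
    return up1

def cp1_holds(st: tuple, up1: Update, up2: Update) -> bool:
    """CP1 on Update methods: (st)[up1; IT(up2,up1)] == (st)[up2; IT(up1,up2)]."""
    left = do_update(it_update(up2, up1), do_update(up1, st))
    right = do_update(it_update(up1, up2), do_update(up2, st))
    return left == right

# Constructed sample document: two words, each a sequence of characters.
DOC = (tuple("cat"), tuple("dog"))

def same_object_scenario() -> tuple:
    """Sites 1 and 2 edit word 0 concurrently ('cat' -> 'chat' and 'cat' -> 'cats')."""
    up1 = mk_update(DOC, 0, Ins(1, "h", 1))
    up2 = mk_update(DOC, 0, Ins(3, "s", 2))
    assert cp1_holds(DOC, up1, up2)
    return do_update(it_update(up2, up1), do_update(up1, DOC))

def distinct_objects_scenario() -> tuple:
    """Site 1 edits word 0 while site 2 edits word 1: the updates commute (Lemma 5.2)."""
    up1 = mk_update(DOC, 0, Ins(1, "h", 1))
    up2 = mk_update(DOC, 1, Del(0, 2))
    assert it_update(up1, up2) == up1 and it_update(up2, up1) == up2 and cp1_holds(DOC, up1, up2)
    return do_update(up2, do_update(up1, DOC))
```

`same_object_scenario()` converges on the words `chats dog` on both sites, and `distinct_objects_scenario()` on `chat og` whichever update is applied first. The classic Ins/Del rules are only exercised for CP1 here; they are known not to satisfy CP2 in general, so the example does not attempt to check Theorem 5.4 with them.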

The dynamic composition of a consistent component with respect to a consistent composition pattern 
produces a new component that satisfies CP2 for all Update methods. 

Theorem 5.4 Given a composition pattern $\mathcal{C}_1$ with parametric attributes $PA$ and a component $\mathcal{C}_2 = (\Sigma_2, M_2, A_2, T_2, E_2)$, 
let $\mathcal{C} = (\Sigma, M, A, T, E)$ be the dynamic composition of $\mathcal{C}_2$ with respect to $\mathcal{C}_1$. If $\mathcal{C}_1$ and $\mathcal{C}_2$ are consistent 
then $E \models_{obs} CP2|_{M'}$, where $M'$ is the set of Update methods. □ 

Proof. Let $up = \mathit{Update}(R,v,w)$, $up_1 = \mathit{Update}(P,x,y)$ and $up_2 = \mathit{Update}(Q,z,t)$ be three methods, 
where $w = \mathit{Do}_{\mathcal{C}_2}(m(Z),v)$, $y = \mathit{Do}_{\mathcal{C}_2}(m_1(V),x)$ and $t = \mathit{Do}_{\mathcal{C}_2}(m_2(W),z)$, with $m$, $m_1$ and $m_2$ methods 
of $\mathcal{C}_2$. Condition $CP2|_{M'}$ is defined as follows: 

$\mathit{IT}^*(up,[up_1;\mathit{IT}(up_2,up_1)]) = \mathit{IT}^*(up,[up_2;\mathit{IT}(up_1,up_2)])$ 

According to Definition 4.5 we consider two cases. 
First case: $P = Q$ and $x = z$. 

$CP2|_{M'}$ is rewritten as $\mathit{IT}^*(up,[up_1;up_2']) = \mathit{IT}^*(up,[up_2;up_1'])$ where $up_2' = \mathit{IT}(up_2,up_1)$ 
and $up_1' = \mathit{IT}(up_1,up_2)$. 

Two cases are possible: 

1. $R = P$ and $v = x$. In this case we get: 

$\mathit{Update}(R,u_1,\mathit{Do}_{\mathcal{C}_2}(m',u_1)) = \mathit{Update}(R,u_2,\mathit{Do}_{\mathcal{C}_2}(m'',u_2))$ where 
$u_1 = \mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_2(W),m_1(V)),\mathit{Do}(m_1(V),x))$ 

$m' = \mathit{IT}^*_{\mathcal{C}_2}(m(Z),[m_1(V);\mathit{IT}_{\mathcal{C}_2}(m_2(W),m_1(V))])$ 
$u_2 = \mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m_1(V),m_2(W)),\mathit{Do}(m_2(W),z))$ 
$m'' = \mathit{IT}^*_{\mathcal{C}_2}(m(Z),[m_2(W);\mathit{IT}_{\mathcal{C}_2}(m_1(V),m_2(W))])$ 

Since $\mathcal{C}_2$ is consistent, $u_1 = u_2$ and $m' = m''$. Consequently, the above equation is true. 

2. $R \neq P$ or $v \neq x$. We have $\mathit{IT}^*(up,[up_1;up_2']) = up$ and $\mathit{IT}^*(up,[up_2;up_1']) = up$. 
Second case: $P \neq Q$ or $x \neq z$. $CP2|_{M'}$ is rewritten as follows: 

$\mathit{IT}^*(\mathit{Update}(R,v,w),[\mathit{Update}(P,x,y);\mathit{Update}(Q,z,t)]) = 
\mathit{IT}^*(\mathit{Update}(R,v,w),[\mathit{Update}(Q,z,t);\mathit{Update}(P,x,y)])$ 

Three cases are considered: 

1. $R = P$ and $v = x$. Both sides reduce to: 

$\mathit{Update}(R,\mathit{Do}_{\mathcal{C}_2}(m_1(V),x),\mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m(Z),m_1(V)),\mathit{Do}(m_1(V),x)))$ 

2. $R = Q$ and $v = z$. Both sides reduce to: 

$\mathit{Update}(R,\mathit{Do}_{\mathcal{C}_2}(m_2(W),z),\mathit{Do}_{\mathcal{C}_2}(\mathit{IT}_{\mathcal{C}_2}(m(Z),m_2(W)),\mathit{Do}(m_2(W),z)))$ 

3. ($R \neq P$ or $v \neq x$) and ($R \neq Q$ or $v \neq z$). We get $\mathit{Update}(R,v,w) = \mathit{Update}(R,v,w)$. □ 



The following theorem is the main result of this section: it states that consistency is preserved 
by dynamic composition. 

Theorem 5.5 Given a consistent composition pattern $\mathcal{C}_1$ with parametric attributes $PA$ and a consistent component $\mathcal{C}_2 = 
(\Sigma_2, M_2, A_2, T_2, E_2)$, let $\mathcal{C} = (\Sigma, M, A, T, E)$ be the dynamic composition of $\mathcal{C}_2$ with respect to $\mathcal{C}_1$ via the 
morphism $\Phi$. If $E \models_{obs} CP1|_{M',\Phi(M_1)}$ and $E \models_{obs} CP2|_{M',\Phi(M_1)}$ then $\mathcal{C}$ is consistent, where $M'$ is the set 
of Update methods. □ 

Proof. Assume that $E \models_{obs} CP1|_{M',\Phi(M_1)}$ and $E \models_{obs} CP2|_{M',\Phi(M_1)}$. By definition, $\mathcal{C}$ is consistent iff 
$E \models_{obs} CP1 \wedge CP2$. 

1. Proof of $E \models_{obs} CP1$. Condition $CP1$ can be expressed as follows: 

$CP1 \equiv CP1|_{M'} \wedge \Phi(CP1|_{M_1}) \wedge CP1|_{M',\Phi(M_1)}$ 

The first conjunct holds by Theorem 5.3, the second because $\mathcal{C}_1$ is consistent, and the third by assumption; hence $CP1$ is satisfied. 

2. Proof of $E \models_{obs} CP2$. Condition $CP2$ can be expressed as follows: 

$CP2 \equiv CP2|_{M'} \wedge \Phi(CP2|_{M_1}) \wedge CP2|_{M',\Phi(M_1)}$ 

The first conjunct holds by Theorem 5.4, the second because $\mathcal{C}_1$ is consistent, and the third by assumption; hence $CP2$ is satisfied. □ 

6 Conclusion 

In this work, we have proposed a formal component-based design for composing collaborative objects. 
We have dealt with the composition of an arbitrary number of collaborative objects by using a dynamic 
composition in which objects are created and deleted dynamically. Moreover, we have provided 
sufficient conditions under which the dynamic composition preserves CP1 and CP2. 

As future work, we intend to study the semantic properties of static and dynamic compositions. 
Finally, we want to implement these compositions on top of the verification techniques given in [6, 7]. 